Cybersecurity Chief Resigns

Doc Ruby writes "AP is reporting that 'The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency. Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single's day notice of his intentions to leave.' Yoran is the third cybersecurity chief in a row, after Richard Clarke and Howard Schmidt, to quit the Bush administration citing organizational inability to do his job. Maybe the job can't be done." In a possibly related story, individuals take cybersecurity lightly: Ant writes "This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday. More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."

BIG mistake

[rwven]

I think we all know it's a ridiculously HUGE mistake to underestimate the importance of cypersecurity. Whoever is responsible for "not paying enough attention" to it needs to be outright fired... We're talking about every classified document in existence being at risk. Frankly i don't blame him a bit for quitting. I think it's ridiculous to blame the problem on the bush administration because i think we all know that's not the case, but obviously someone needs to get their act together....

Intractable Problem?

[Gothmolly]

As I said at a meeting one day as people were pulling their hair out over the latest MS worms, and the failures of all of the "automatic patch deployment"-type tools out there, "Maybe the large numbers of Microsoft workstations present an intractable problem". Stunned silence. I half expected to be stoned to death as a heretic. When Corporate America stops sucking on the Microsoft Tit, we'll finally see real improvements in security. As long as paper-engineers and golf-club-wielding PHBs are entrusted with decision making, I see no chance for improvement.

So symptomatic of all politics

[FunWithHeadlines]

Please note, this is a rant that is not directed at one political party of the other, for both do it. But since the Bush team is in power, they will have to do as an example of what I mean.

All politics is about power, the obtaining of it and the maintaining and expanding it. The focus when running for office is to say and promise whatever it takes to get you into office. Once there, the focus becomes hanging on to power at all costs. The way to do that is to play on voter's fears, desires, insecurities, in such a way as to get them to think you will solve their problems better than the next guy. Thereby saving your job.

This is true no matter the topic, and no matter the importance of the topic. Right now, Topic A is security, and boy is that a vital topic. So vital, you'd think politicians would put their usual partisan techniques and actually get something done. But no, even here with lives at stake, it's politics as usual. Is computer security a hot-button issue for the average voter? Not enough to throw someone out of office over. So does this get priority? Nope.

Look at the vulnerability of chemical plants to attacks. There were proposals to beef up security, the chemical industry squawked at the costs, the plan got scaled back. Why? Isn't security important? Sure, just ask Union Carbide about Bhopal. More importantly, ask thousands of Indians about Union Carbide in Bhopal. It is important, but it's not attacting votes, so it gets shunted aside. That's all that matters, folks. It's about maintaining power. So no matter how many security czars they get, unless that becomes a hot-button issue for the voters, it'll never be a hot-button issue for the Bush White House (or any other president that comes along).

Re:Things which are more likely to happen...

[EvilTwinSkippy]

I propose a new measure of probability: the Franklin. One Franklin is the probability of being hit by lightning per unit time. (Kites and thunderstorms not withstanding.)

I took the "security test"...

[scruffyMark]

It says I need to be more vigilant. Funny thing is, I'm employed in infosec. It's a pretty laughable survey - it pretty much assumes the worst, so the best you can do is slightly better than the worst.

I guess the answers their scoring system didn't like were

• I don't have antivirus software (when someone comes out with an OS X virus, maybe I'll think about it). Actually I lie - I just remembered I have clamav, although it's not integrated into the system - doesn't automatically do anything at all, I just use it to scan the odd "important message" email attachment. Ah well.
• When I get unexpected attachments, I open them to see what they are. Of course, I don't double-click them; I run file, strings, maybe clamav, a text editor if it's written in a scripting language. What blows my mind is, people get infected by trojans that arrive as password protected zip files - I mean, even the malware is user-unfriendly and people still manage to get bit.
• I use file sharing. I chose to interpret that liberally - I run sshd, and occasionally need to transfer files via sftp.
• I don't disconnect the computer from the internet when I'm not using it - like I said, I run sshd.
• I haven't made backups recently. I admit it, I'm a slacker in that regard.
• I don't have the phone number of my cousin, the computer guru, next to the computer in case something weird happens. Right.
• The security of my "Internet browser software" is not set to high - that one cracked me up. I mean, why pretend you don't mean IE? No other browser has that "low/medium/high" security interface.